.TH AIDE.CONF 5 "2023-02-06" "aide v0.18" "AIDE"
.SH NAME
aide.conf - The configuration file for Advanced Intrusion Detection
Environment
.PP
.SH SYNOPSIS
\fBaide.conf\fP is the configuration file for Advanced Intrusion
Detection Environment. \fBaide.conf\fP contains the runtime
configuration aide uses to initialize or check the AIDE database.
.PP
.SH "FILE FORMAT"
aide.conf is case-sensitive. Leading and trailing white spaces are
ignored. Each config lines must end with new line.
.PP
AIDE uses the backslash character (\fB\e\fR) as escape character for ' '
(space), '@' and '\e' (backslash) (e.g. '\e ' or '\e@'). To literally match a '\fB\e\fR'
in a file path with a regular expression you have to escape the backslash
twice (i.e. '\fB\e\e\e\e\fR').
.PP
There are three types of lines in \fBaide.conf\fP. First there are the
configuration options which are used to set configuration parameters and
define groups. Second, there are (restricted) rules that are used to indicate
which files are added to the database. Third, macro lines define or undefine
variables within the config file. Lines beginning with # are ignored as
comments.
.PP

.SH "CONFIG OPTIONS"
.PP
These lines have the format parameter=value. See URLS for a list of
valid urls.
.PP
.TP
database_in (type: URL, default: see \fB--version\fP output, added in AIDE v0.17)
.TQ
database (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
The url from which database is read. There can only be one of these
lines. If there are multiple database lines then the first is used.

.RS
.B Examples:

.RS 3
.nf
.B database_in=file:/var/lib/aide/aide.db
.fi

.RS 3
Read database locally from \fI/var/lib/aide/aide.db\fR.
.RE

.RE

.RS 3
.nf
.B database_in=stdin
.fi

.RS 3
Read database from \fIstdin\fR.
.RE

.RE

.RS 3
.nf
.B database_in=https://example.com/aide.db
.fi

.RS 3
Read database remotely from \fIhttps://example.com/aide.db\fR.
.RE

.RE

.RE

.IP "database_out (type: URL, default: see \fB--version\fP output)"
The url to which the new database is written to. There can only be one
of these lines. If there are multiple database_out lines then the
first is used.
.IP "database_new (type: URL, default: \fB<none>\fP)"
The url from which the other database for \-\-compare is read.
.IP "database_attrs (type: attribute expression, default: \fBH\fP, added in AIDE v0.16)"
The attributes of the (uncompressed) database files which are to be added to
the reports in report level >= \fBdatabase_attributes\fP . Only checksum attributes are
supported. To disable set
.I database_attrs
to
.RB ' E '.
.IP "database_add_metadata (type: bool, default: \fBtrue\fR, added in AIDE v0.16)"
Whether to add the AIDE version and the time of database generation as comments
to the database file or not. This option may be set to false by default in a
future release.

.IP "log_level (type: log level, default: \fBwarning\fR, added in AIDE v0.17)"
The log level to use. Log messages are written to \fIstderr\fR. If there are
multiple \fIlog_level\fR lines then the first one is used. The \-\-log-level or
\-L command line option overwrites this option.

.RS
The following log levels are available:

.RS
\fBerror\fP: show unrecoverable issues that have to be handled by the user. Errors are fatal to the AIDE process.

\fBwarning\fP: additionally show recoverable issues that most likely lead to unexpected behaviour and should be handled by the user

\fBnotice\fP: additionally show recoverable issues that sometimes lead to unexpected behaviour and might be handled by the user.

\fBinfo\fP: additionally show informational messages

\fBrule\fP: additionally show messages to help to debug the path rule matching

\fBcompare\fP: additionally show messages to help to debug file comparison and (special) attribute handling

\fBconfig\fP: additionally show messages to help to debug config and rule parsing

\fBdebug\fP: additionally show messages that are useful to debug the application (very verbose)

\fBthread\fP: additionally show messages about thread processing (e.g. broadcast events)

\fBtrace\fP: detailed information about the flow of the application (e.g. in-loop logging) (even more verbose)

.RE

.RE

.IP "verbose (type: number, range: 0 - 255, default: \fB5\fR, REMOVED in AIDE v0.17)"
Removed, use \fBlog_level\fR and \fBreport_level\fR options instead.
.IP "gzip_dbout (type: bool, default: \fBfalse\fR)"
Whether the output to the database is gzipped or not. This option is available
only if zlib support is compiled in.
.IP "root_prefix (type: path, default: \fB<empty>\fR, added in AIDE v0.16)"
The prefix to strip from each file name in the file system before applying the
rules and writing to database. AIDE removes a trailing slash from the prefix.
If there are multiple root_prefix lines then the first one is used. This option
has no effect in compare mode.
.IP "acl_no_symlink_follow (type: bool, default: \fBfalse\fR)"
Whether to check ACLs for symlinks or not. This option
is available only if acl support is compiled in.
.IP "warn_dead_symlinks (type: path, default: \fBfalse\fR)"
Whether to warn about dead symlinks or not.
.IP "config_version (type: string, default: \fB<empty>\fR)"
The value of config_version is printed in the report and also printed
to the database. This is for informational purposes only. It has no
other functionality.
.IP "config_check_warn_unrestricted_rules (type: bool, default: \fBfalse\fR, added in AIDE v0.18)"
Whether to warn on unrestricted rules during config check. To explicitly
define unrestricted rules use \fB0\fR (zero) as restriction character.
.IP "num_workers (type: number|percentage, default: \fB1\fR, added in AIDE v0.18)"
Specifies the number of simultaneous workers (threads) for file attribute
processing (i.a. hashsum calculation).

The number of workers can be a positive integer (e.g. '4') or the percentage of
the available processors (e.g. '60%'). The resulting number of workers is
rounded up to the next integer (e.g. '60%' of 8 processors results in 5
workers).

If there are multiple \fInum_workers\fR lines then the first one is used.

Use 0 (zero) to disable (multi-threaded) workers.

The default value 1 (single worker thread) may be changed in a future release.

.PP

.SH REPORT OPTIONS
.PP

.IP "report_url (type: URL, default: \fBstdout\fR)"

The URL that the output is written to.

Multiple instances of the \fBreport_url\fR option are supported.

.RS
.B Examples:

.RS 3
.nf
.B report_url=file:/var/log/aide.log
.fi

.RS 3
Write report to \fI/var/log/aide.log\fR.
.RE
.RE

.RS 3
.nf
.B report_url=stdout
.fi

.RS 3
Write report to \fIstdout\fR.
.RE
.RE

.RS 3
.nf
.B report_url=syslog:<LOG_FACILITY>
.fi

.RS 3
Write report to \fIsyslog\fR using \fILOG_FACILITY\fR.
.RE
.RE

.RE

.PP
The following report options are available (to take effect they
have to be set before \fBreport_url\fR):
.PP

.IP "report_level (type: report level, default: \fBchanged_attributes\fR, added in AIDE v0.17)"

The report level to use. The available report levels are as follows:

.RS
\fBminimal\fP: print single line whether AIDE found differences to the database

\fBsummary\fP: additionally print number of added, removed and changed files

\fBdatabase_attributes\fP: additionally print database checksums

\fBlist_entries\fP: additionally print lists of added, removed and changed entries

\fBchanged_attributes\fP: additionally print details about changed entries

.RS
.B Example:
.RS 3

.EX
File: /var/lib/apt/extended_states
 Perm      : -rw-r--r--                       | -rw-------
 Uid       : 0                                | 106
.EE

.RE

The left column shows the old value (e.g. from the \fIdatabase_in\fR database) and the right
column shows the new value (e.g. from the file system).

.RE

\fBadded_removed_attributes\fP: additionally print details about added and removed attributes

\fBadded_removed_entries\fP: additionally print details about added and removed entries
.RE

.IP "report_format (type: report format, default: \fBplain\fR, added in AIDE v0.18)"
The report format to use. The available report formats are as follows:

.RS
\fBplain\fP: Print report in plain human-readable format.

\fBjson\fP: Print report in json machine-readable format.
.RE

.IP "report_base16 (type: bool, default: \fBfalse\fR, added in AIDE v0.17)"
Base16 encode the checksums in the report. The default is to
report checksums in base64 encoding.
.IP "report_detailed_init (type: bool, default: \fBfalse\fR, added in AIDE v0.16)"
Report added files (report level >= \fBlist_entries\fP) and their details (report
level >= \fBadded_removed_entries\fP) in initialization mode.
.IP "report_quiet (type: bool, default: \fBfalse\fR, added in AIDE v0.16)"
Suppress report output if no differences to the database have been found.
.IP "report_append (type: bool, default: \fBfalse\fR, added in AIDE v0.17)"
Append to the report URL.
.TP
report_grouped (type: bool, default: \fBtrue\fR, added in AIDE v0.17)
.TQ
grouped (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
Group the files in the report by added, removed and changed files.
.TP
report_summarize_changes (type: bool, default: \fBtrue\fR, added in AIDE v0.17)
.TQ
summarize_changes (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
Summarize changes in the added, removed and changed files
sections of the report.

The general format is like the string YlZbpugamcinHAXSEC, where Y is
replaced by the file-type ('\fBf\fP' for a regular file, '\fBd\fP' for a
directory, '\fBl\fP' for a symbolic link, '\fBc\fP' for a character
device, '\fBb\fP' for a block device, '\fBp\fP' for a FIFO, '\fBs\fP' for
a unix socket, '\fBD\fP' for a Solaris door, '\fBP\fP' for a Solaris
event port, '\fB!\fP' if file type has changed and '\fB?\fP' otherwise).

The Z is replaced as follows: A '\fB=\fP' means that the size has not changed,
a '\fB<\fP' reports a shrinked size and a '\fB>\fP' reports a grown size.
The other letters in the string are the actual letters that will be output
if the associated attribute for the item has been changed or a '\fB.\fP' for no
change.

Otherwise a '\fB+\fP' is shown if the attribute has been added, a '\fB-\fP' if
it has been removed, a '\fB:\fP' if the attribute is ignored (but not forced)
or a ' ' if the attribute has not been checked.

The exceptions to this are: (1) a newly created file replaces each letter with
a '\fB+\fP', and (2) a removed file replaces each letter with a '\fB-\fP'.

The attribute that is associated with each letter is as follows:

.RS
.IP o
A \fBl\fP means that the link name has changed.
.IP o
A \fBb\fP means that the block count has changed.
.IP o
A \fBp\fP means that the permissions have changed.
.IP o
An \fBu\fP means that the uid has changed.
.IP o
A \fBg\fP means that the gid has changed.
.IP o
An \fBa\fP means that the access time has changed.
.IP o
A \fBm\fP means that the modification time has changed.
.IP o
A \fBc\fP means that the change time has changed.
.IP o
An \fBi\fP means that the inode has changed.
.IP o
A \fBn\fP means that the link count has changed.
.IP o
A \fBH\fP means that one or more message digests have changed.
.RE

.RS
The following letters are only available when explicitly enabled using configure:
.RE

.RS
.IP o
A \fBA\fP means that the access control list has changed.
.IP o
A \fBX\fP means that the extended attributes have changed.
.IP o
A \fBS\fP means that the SELinux attributes have changed.
.IP o
A \fBE\fP means that the file attributes on a second extended file system have changed.
.IP o
A \fBC\fP means that the file capabilities have changed.
.RE
.IP "report_ignore_added_attrs (type: attribute expression, default: \fBempty\fR, added in AIDE v0.16)"
Attributes whose addition is to be ignored in the report.
.IP "report_ignore_removed_attrs (type: attribute expression, default: \fBempty\fR, added in AIDE v0.16)"
Attributes whose removal is to be ignored in the report.
.TP
report_ignore_changed_attrs (type: attribute expression, default: \fBempty\fR, added in AIDE v0.16)
.TQ
ignore_list (REMOVED in AIDE v0.17)
Attributes whose change is to be ignored in the report.
.TP
report_force_attrs (type: attribute expression, default: \fBempty\fR, added in AIDE v0.16)
.TQ
report_attributes (REMOVED in AIDE v0.17)
Attributes which are always printed in the report for changed files. If an attribute is both ignored and forced the
attribute is not considered for file change but printed in the final report as long as the file has been otherwise changed.
.IP "report_ignore_e2fsattrs (type: string, default: \fB0\fR, added in AIDE v0.16)"
List (no delimiter) of ext2 file attributes which are to be ignored in the report.
See
.BR chattr (1)
for the available attributes. Use \fB0\fR (zero) to not ignore any
attribute. Ignored attributes are represented by a ':' in the report.

By default AIDE also reports changes of the read-only attributes mentioned in
.BR chattr (1)
(see example below how to ignore those changes).

.RS
.B Example:

.RS 3
Ignore changes of the read-only ext2 file attributes verify (V), inline data
(N), indexed directory (I) and encrypted (E):

.RS 3
.nf
report_ignore_e2fsattrs=VNIE
.fi
.RE
.RE
.RE

.PP
.SH "GROUPS"
.PP

Groups are aggregations of attributes.

Group definitions have the format <group name> = <attribute expression>.

Group names are limited to alphanumeric characters (\fBA-Za-z0-9\fP).

See ATTRIBUTES for a description of all available attributes.

.RE

.B Default groups
.TP
.B "R"
p+ftype+i+l+n+u+g+s+m+c+md5+X
.TP
.B "L"
p+ftype+i+l+n+u+g+X
.TP
.B ">"
Growing file p+ftype+l+u+g+i+n+s+growing+X
.TP
.B "H"
all compiled in hashsums (added in AIDE v0.17)
.TP
.B "X"
acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in AIDE v0.16)
.TP
.B "E"
Empty group
.TP
Use 'aide --version' to list the default compound groups.

.RE

.PP
.SH "RULES"
.PP
AIDE supports three types of rules:
.TP
.B "Regular rule:"
<regex> <attribute expression>

Files and directories matching the regular expression
are added to the database.

.TP
.B "Negative rule:"
!<regex>

Files and directories matching the regular expression
are ignored and not added to the database.
The children of matching directories are also ignored.

.TP
.B "Equals rule:"
=<regex> <attribute expression>

Files and directories matching the regular expression
are added to the database.
The children of directories are only added
if the regular expression ends with a "/".
The children of sub-directories are not added at all.

.PP
Every regular expression has to start with an explicit "/".
An implicit ^ is added in front of each regular expression.
In other words,
the regular expressions are matched at the first position
against the complete path.
Special characters can be escaped using
two-digit URL encoding (for example, %20 to represent a space).

AIDE uses a deepest-match algorithm to find the tree node to search,
but a first-match algorithm inside the node.
(see also \fBrule\fP log level).

See EXAMPLES for examples.
.PP
More in-depth discussion of the selection algorithm can be found in
the AIDE manual.
.IP
.PP
.SH "RESTRICTED RULES"
.PP
Restricted rules are like normal rules but can be
restricted to file types (added in AIDE v0.16). The following file types are supported:

.TP
.B "\fBf\fP"
restrict rule to regular files
.TP
.B "\fBd\fP"
restrict rule to directories
.TP
.B "\fBl\fP"
restrict rule to symbolic links
.TP
.B "\fBc\fP"
restrict rule to character devices
.TP
.B "\fBb\fP"
restrict rule to block devices
.TP
.B "\fBp\fP"
restrict rule to FIFO files
.TP
.B "\fBs\fP"
restrict rule to UNIX sockets
.TP
.B "\fBD\fP"
restrict rule to Solaris doors
.TP
.B "\fBP\fP"
restrict rule to Solaris event ports
.TP
.B "\fB0\fR"
empty restriction,
i.e. don't restrict rule (added in AIDE v0.18)
.PP
Multiple restrictions can be given
as a comma-separated list.
.PP
The syntax of restricted rules is as follows:
.TP
.B "Restricted regular rule"
<regex> <file types> <attribute expression>
.TP
.B "Restricted negative rule"
!<regex> <file types>
.TP
.B "Restricted equals rule"
=<regex> <file types> <attribute expression>


.PP
.SH "MACRO LINES"
.PP
.IP "@@define \fBVAR\fR \fBval\fR"
Define variable \fBVAR\fR to value \fBval\fR.
.IP "@@undef \fBVAR\fR"
Undefine variable \fBVAR\fR.
.TP
@@if \fBboolean_expression\fR (added in AIDE v0.18)
.TQ
@@else
.TQ
@@endif
@@if begins an if statement. It must be terminated with an @@endif statement.
The lines between @@if and @@endif are used if the \fBboolean_expression\fR
evaluates to \fBtrue\fR.  If there is an @@else statement then the part between
@@if and @@else is used if \fBboolean_expression\fR evaluates to \fBtrue\fR
otherwise the part between @@else and @@endif is used.

.RS
Available operators and functions in boolean expressions:

.RS 3
.nf
.B not \fIboolean_expression\fR
.fi
.RS 3
Evaluates to true if the \fIboolean_expression\fR is false, and false if the
\fIboolean_expression\fR is true.
.RE
.RE

.RS 3
.nf
.B defined \fIVARIABLE\fR
.fi

.RS 3
Evaluates to \fBtrue\fR if \fIVARIABLE\fR is defined.
.RE
.RE

.RS 3
.nf
.B hostname \fIHOSTNAME\fR
.fi

.RS 3
Evaluates to \fBtrue\fR if \fIHOSTNAME\fR equals the \fBhostname\fR of the machine
that AIDE is running on. \fBhostname\fR is the name of the host without the
domainname (ie 'hostname', not 'hostname.example.com').
.RE
.RE

.RS 3
.nf
.B exists \fIPATH\fR
.fi

.RS 3
Evaluates to \fBtrue\fR if \fIPATH\fR exists.
.RE
.RE

.RE

.IP "@@ifdef \fBVARIABLE\fR (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)"
same as \fB@@if defined VARIABLE\fR
.IP "@@ifndef \fBVARIABLE\fR (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)"
same as \fB@@if not defined VARIABLE\fR
.IP "@@ifhost \fBHOSTNAME\fR (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)"
same as \fB@@if hostname HOSTNAME\fR
.IP "@@ifnhost \fBHOSTNAME\fR (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)"
same as \fB@@if not hostname HOSTNAME\fR

.IP "@@{\fBVAR\fR}"
@@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR.
If variable \fBVAR\fR is not defined an empty string is used.

Variables are supported in strings and in regular expressions of selection
lines.

.RS
Pre-defined marco variables:

.RS 3
\fB@@{HOSTNAME}\fP: hostname of the current system
.RE

.RE

.IP "@@include \fBFILE\fR"
Include \fBFILE\fR.

The content of the file is used as if it were inserted in this part of the
config file.

The maximum depth of nested includes is 16.

.IP "@@include \fBDIRECTORY\fR \fBREGEX\fR [\fBRULE_PREFIX\fR] (added in AIDE v0.17)"
Include all (regular) files found in \fBDIRECTORY\fR matching regular
expression \fBREGEX\fR (sub-directories are ignored). The file are included in
lexical sort order.

If \fBRULE_PREFIX\fR is set, all rules included by the statement are prefixed
with given \fBRULE_PREFIX\fR (added in AIDE v0.18). Prefixes from nested
include statements are concatenated.

The content of the files is used as if it were inserted in this
part of the config file.

.TP
@@x_include \fBFILE\fR (added in AIDE v0.17)
.TQ
@@x_include \fBDIRECTORY\fR \fBREGEX\fR [\fBRULE_PREFIX\fR]  (added in AIDE v0.17)
\fB@x_include\fR is identical to \fB@@include\fR, except that if a config file
is executable is is run and the output is used as config.

If the executable file exits with status greater than zero or writes to stderr
aide stops with an error.

For security reasons \fBDIRECTORY\fR and each executable config file must be
owned by the current user or root. They must not be group- or world-writable.

.IP "@@x_include_setenv \fBVAR\fR \fBVALUE\fR (added in AIDE v0.17)"

Adds the variable \fBVAR\fR with the value \fBVALUE\fR to the environment used
for config file execution.

Environment variable names are limited to alphanumeric characters
(\fBA-Za-z0-9\fP) and the underscore '\fB_\fR' and must not begin with a digit.

.PP

.SH TYPES

.B bool
.RS 3
Valid values are \fByes\fR, \fBtrue\fR, \fBno\fR or \fBfalse\fR.
.RE

.B "attribute expression"
.RS 3

An attribute expression is of the following form:
.IP
.nf
  <attribute/group>
| <expr> + <attribute/group>
| <expr> - <attribute/group>
.fi
.RE

.B URLS
.RS 3
Urls can be one of the following. Input urls cannot be used as outputs
and vice versa.
.RS

.IP "stdout"
.IP "stderr"
Output is sent to stdout, stderr respectively.
.IP "stdin"
Input is read from stdin.
.IP "file:/\fBpath\fR"
Input is read from \fBpath\fR or output is written to \fBpath\fR.
.IP "fd:\fBnumber\fR"
Input is read from filedescriptor \fBnumber\fR or output is written to
\fBnumber\fR.
.IP "syslog:\fBLOG_FACILITY\fR"
Output is written to syslog using \fILOG_FACILITY\fR.

.RE

.RE

.SH "ATTRIBUTES"
.PP
.B "File attributes"
.TP
.B "\fBftype\fR"
file type (added in AIDE v0.15)
.TP
.B "\fBp\fR"
permissions
.TP
.B "\fBi\fR"
inode
.TP
.B "\fBl\fR"
link name
.TP
.B "\fBn\fR"
number of links
.TP
.B "\fBu\fR"
user
.TP
.B "\fBg\fR"
group
.TP
.B "\fBs\fR"
size
.TP
.B "\fBb\fR"
block count
.TP
.B "\fBm\fR"
mtime
.TP
.B "\fBa\fR"
atime
.TP
.B "\fBc\fR"
ctime
.TP
.B "\fBacl\fR"
access control list
(requires \fIlibacl\fR)
.TP
.B "\fBselinux\fR"
selinux attributes
(requires \fIlibselinux\fR)
.TP
.B "\fBxattrs\fR"
extended attributes
(requires \fIlibattr\fR)
.TP
.B "\fBe2fsattrs\fR"
file attributes on a second extended file system,
see also \fB report_ignore_e2fsattrs \fP option
(requires \fIlibext2fs\fR, added in AIDE v0.15)
.TP
.B "\fBcaps\fR"
file capabilities
(requires \fIlibcap2\fR, added in AIDE v0.17)
.PP

Use 'aide --version' to show which compiled-in attributes are available.
.PP
.B "Special attributes"
.TP
.B "\fBS\fR"
check for growing size
(DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)

Use \fBgrowing+s\fR attributes instead
.TP
.B "\fBI\fR"
ignore changed filename

When \fBI\fR is used, the inode of the old file is used to search for
a moved file in the new database.

Source and target file have to be located in the same directory and must share
the same attributes (except for special attributes
\fBANF\fR, \fBARF\fR, \fBI\fR, \fBgrowing\fR, and \fBcompressed\fR).

For moved entries a change of the \fBctime\fR attribute is ignored.

.TP
.B "\fBgrowing\fR"
ignore growing file (added in AIDE v0.18)

When \fBgrowing\fR is used, changes of the following attributes are
ignored:

\fBsize\fR: if new size is greater than old size

\fBbcount\fR: if new bcount is greater than old bcount

\fBatime\fR: if new atime is greater than old atime

\fBmtime\fR: if new mtime is greater than old mtime

\fBctime\fR: if new ctime is greater than old ctime

\fBhashsums\fR: if the hashsum of the new file restricted to the old size equals the hashsums of the old file

For hashsum attributes the \fBgrowing\fR attribute is ignored in compare mode.

.TP
.B "\fBcompressed\fR"
ignore compressed file (added in AIDE v0.18)

When \fBcompressed\fR is used, the uncompressed hashsums of the
new compressed file (supported compressions: \fBgzip\fR) are used to search for the
uncompressed file in the old database.

The old uncompressed and the new compressed file have to be located in the same
directory and must share the same attributes (except for special attributes
\fBANF\fR, \fBARF\fR, \fBI\fR, \fBgrowing\fR, and \fBcompressed\fR) including at least
one hashsum.

Changes of the \fBinode\fR, \fBsize\fR, \fBbcount\fR and \fBctime\fR attributes are ignored.

The \fBgrowing\fR attribute (i.e. the old file size) is not considered for
compressed files during the calculation of the uncompressed hashsums.

The \fBcompressed\fR attribute is ignored in compare mode.

.TP
.B "\fBANF\fR"
allow new files

When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
.TP
.B "\fBARF\fR"
allow removed files

When 'ARF' is used, files missing on disk are omitted from the new database,
but are ignored in the report.
.PP

.B Hashsums attributes
.TP
.B "md5"
MD5 checksum
(not in \fIlibgcrypt\fR FIPS mode)
.TP
.B "sha1"
SHA-1 checksum
.TP
.B "sha256"
SHA-256 checksum
.TP
.B "sha512"
SHA-512 checksum
.TP
.B "rmd160"
RIPEMD-160 checksum
.TP
.B "tiger"
tiger checksum
.TP
.B "haval"
haval256 checksum
(\fIlibmhash\fR only)
.TP
.B "crc32"
crc32 checksum
.TP
.B "crc32b"
crc32 checksum
(\fIlibmhash\fR only)
.TP
.B "gost"
GOST R 34.11-94 checksum
.TP
.B "whirlpool"
whirlpool checksum
.TP
.B "stribog256"
GOST R 34.11-2012, 256 bit checksum
(\fIlibgcrypt\fR only, added in AIDE v0.17)
.TP
.B "stribog512"
GOST R 34.11-2012, 512 bit checksum
(\fIlibgcrypt\fR only, added in AIDE v0.17)
.PP

Use 'aide --version' to show which hashsums are available.

.RE

.PP
.SH EXAMPLES
.TP
.B "/ R"
This adds all files on your machine to the database.
This one line is a fully qualified configuration file.
.TP
.B "!/dev$"
This ignores the /dev directory structure.
.TP
.B "=/foo R"
Only /foo and /foobar are taken into the database.
None of their children are added.
.TP
.B "=/foo/ R"
Only /foo and its children
(e.g. /foo/file and /foo/directory)
are taken into the database.
The children of sub-directories
(e.g. /foo/directory/bar) are not added.
.TP
.B "/ d,f R"
Only add directories and files to the database
.TP
.B "!/run d"
.TQ
.B "/run R"
Add all but directory entries to the database
.TP
.B "/run d R-m-c-i"
.TQ
.B "/run R"
Use specific rule for directories
.TP
Suggested Groups
.TP
.B "\fBOwnerMode\fR = p+u+g+ftype"
Check permissions, owner, group and file type
.TP
.B "\fBSize\fR = s+b"
Check size and block count
.TP
.B "\fBInodeData\fR = OwnerMode+n+i+Size+l+X"
.TQ
.B "\fBStaticFile\fR = m+c+Checksums"
Files that stay static
.PP
.B "\fBFull\fR = InodeData+StaticFile"
.TQ
.B "\fBFull\fR = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X"
.TQ
.B "/ 0 Full"
This line defines group \fBFull\fR.
It has all attributes,
all compiled in hashsums (\fBH\fR) and
all compiled in extra file attributes (\fBX\fR).
See '--version' output for the compiled in hashsums and extra groups.
The example rule is the typical catch-all rule
at the end of the rule list.
.TP
.B "\fBVarTime\fR = InodeData+Checksums"
.TQ
.B "/etc/ssl/certs/ca-certificates\e\e.crt$ VarTime"
Files that change their mtimes or ctimes but not their contents.
.TP
.B "\fBVarInode\fR = VarTime-i"
.TQ
.B "/var/lib/nfs/etab$ f VarInode"
Files that are recreated regularly but do not change their contents
.TP
.B "\fBVarFile\fR = OwnerMode+n+l+X"
.TQ
.B "/etc/resolv\e\e.conf$ f VarFile"
Files that change their contents during system operation
.TP
.B "\fBVarDir\fR = OwnerMode+n+i+X"
.TQ
.B "/var/lib/snmp$ d VarDir"
Directories that change their contents during system operation
.TP
.B "\fBRecreatedDir\fR = OwnerMode+n+X"
.TQ
.B "/run/samba$ d RecreatedDir"
Directories that are recreated regularly and change their contents
.TP
Log Handling
.PP
Logs pose a number of special challenges to AIDE.
An active log is nearly constantly being written to.
The process of log rotation changes file names for
files that are supposed to have unaltered contents.
To save space, Logs are compressed in the process of their rotation,
and finally, they get deleted.
AIDE is supposed to handle all those cases without generating reports,
and it is still expected to flag the cases when
an attacker tampers with logs.
.PP
The following examples suggest a way to handle the
common case of log rotation with the logrotate(8) program,
with its options \fBcompress\fR, \fBdelaycompress\fR and \fBnocopytruncate\fR set.
The vast majority of logs are rotated this way on most Linux systems.
.TP
.B "\fBActLog\fR=Full+growing+ANF+I"
.TQ
.B "/var/log/foo\e\e.log$ f ActLog"
An Active Log is typically named foo.log.
It is constanty being written to.
The file does neither change its mode nor its inode number.
The size only increases,
and what is written to the file is not supposed to change (growing).
During log rotation,
foo.log is typically renamed to foo.log.1 (or foo.log.0)
and the process is instructed to write to a new foo.log.
Log content is written to a new file (ANF)
and will eventually be renamed to foo.log.1 (I).
The growing attribute suppresses reports for files that
just had content appended when compared to the database.
A change of the old content is still reported!
.TP
.B "\fBRotLog\fR=Full"
.TQ
.B "/var/log/foo\e\e.log\e\e.1$ f RogLog"
foo.log.0 or foo.log.1 is called the Rotated Log,
the previously active log renamed to the
first name of the Log Series that is formed by the rotation mechanism.
Right after rotation, the file might still being written to by the daemon.
To aide, this looks like the Active Log's size decreases and its
inode and timestamps change.
The Rotated Log is not supposed to change its attributes
once the process has stopped writing to it.
Reports might be generated if aide runs while the process
still writes to the Rotated Log,
but this is quite unlikely to happen.
Some log rotation mechanisms rename
foo.log to foo.log.0 to foo.log.1.gz,
others rename foo.log to foo.log.1 to foo.2.log.gz.
.TP
.B "\fBCompSerLog\fR=Full+I+compressed"
.TQ
.B "/var/log/foo\e\e.log\e\e.2\e\e.gz$ f CompSerLog"
In the next rotation step,
foo.log.1 gets compressed to foo.log.2.gz,
becoming the Compressed Log in the Log Series.
With this rule,
AIDE does not report this step because it
uncompresses the contents of the file
and takes the checksum of the uncompressed content.
The contents strictly doesn't change,
but some attribute changes are ignored (compressed).
.TP
.B "\fBMidlSerLog\fR=Full+I"
.TQ
.B "/var/log/foo\e\e.log\e\e.[345]\e\e.gz$ f MidlSerLog"
In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}.
The other attributes are not supposed to change.
.TP
.B "\fBLastSerLog\fR=Full+ARF"
.TQ
.B "/var/log/foo\e\e.log\e\e.6\e\e.gz$ f LastSerLog"
The configuration of the log rotation process specifies a number of log
generations to keep. The last log in the series is therefore removed
from the disk (ARF).
.PP
aide 0.18 does not yet support the following cases of log rotation:
.TP
.B "empty files"
It might be the case that a log is actually created, but never written to.
This commonly happens on rarely used web servers that use the log rotation
as a method to cater for data protection regulation.
In result, all files in a series are identical,
breaking the heuristics that aide uses to detect log rotation.
A possible workaround is to begin a newly rotated log with a timestamp.
With logrotate, this can be done in a postrotate scriptlet.
.TP
.B "nodelaycompress"
With logrotate's \fBnodelaycompress\fR option,
a log is immediately compressed after renaming it from the Active Log name.
For the time being, it is recommended to always use the \fBdelaycompress\fR option
to avoid this behavior.
.TP
.B "copytruncate"
With logrotate's \fBcopytruncate\fR option,
the Active Log is not renamed and newly created but
copied to the new file name.
After the copy operation, the old file is truncated to zero size,
allowing the daemon to continuously write to the already open file handle.
aide uses the Inode number to detect the rotation process.
That doesn't work with \fBcopytruncate\fR because the Inode stays
with the Active Log.
For the time being, it is recommended to avoid the \fBcopytruncate\fR option
to avoid this behavior.
.PP
.SH HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
.IP
.B "/foo epug"
.IP
.B "/foo e+p+u+g"
.PP
.SH "SEE ALSO"
.BR aide (1)
.SH DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of
software.
